Template Injection Vulnerability in Twig PHP Template Engine
CVE-2026-46634
7.7HIGH
What is CVE-2026-46634?
A template injection vulnerability exists in the Twig PHP template engine versions 3.9.0 through 3.26.0. The issue arises from the template_from_string() function, which compiles inner templates under synthesized names that may bypass the SourcePolicyInterface sandbox. This allows attackers to execute untrusted code by calling template_from_string or including additional templates, effectively rendering inner templates without the expected security policy enforcement. The vulnerability was resolved in version 3.26.0, emphasizing the need for users to update to this version or later to mitigate potential risks.
Affected Version(s)
Twig >= 3.9.0, < 3.26.0
